CVE-2026-52987

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: avoid double drm exec fini() in userq validate

When new addition is true, amdgpu userq vm validate() calls drm exec fini(&exec) before iterating over the collected HMM ranges and calling amdgpu ttm tt get user pages().

If amdgpu ttm tt get user pages() fails in that path, the code jumps to unlock all and calls drm exec fini(&exec) a second time on the same exec object. drm exec fini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context.

Route that error path directly to the range cleanup once exec has already been finalized.

Issue found using a prototype static analysis tool and confirmed by code review.

(cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)